Data breaches at big retailers are becoming almost commonplace, and class actions by affected consumers are typically not far behind.
Now, a federal appeals court in Chicago has made it harder for retailers who are hacked to have these lawsuits dismissed on procedural grounds.
Neiman Marcus Group LLC, which disclosed it had been hacked in January 2014, had persuaded a U.S. district court in Chicago to throw out a case based on standing. The consumers had sued Neiman Marcus for negligence, breach of contract and deceptive business practices.
But on Monday, a three-judge panel of the U.S. Court of Appeals for the Seventh Circuit said the luxury retailer must face a proposed class action that claims it failed to protect customers from hackers who stole credit and debit information belonging to about 350,000 people.
The plaintiffs sought to represent those customers whose data may have been hacked. According to the decision, while 9,200 of those cards were known to have been used fraudulently, the trial court shouldn’t have dismissed the suit.
While reviving the plaintiffs’ suit, the appellate panel noted that these types of claims had limits.
The plaintiffs had argued that “they overpaid for the products at Neiman Marcus because the store failed to invest in an adequate security system.” The court clearly didn’t place much weight on this allegation.
The plaintiffs “allege that they would have shunned Neiman Marcus had they known that it did not take the necessary precautions to secure their personal and financial data,” the court held. “They appear to be alleging some form of unjust enrichment as well: Neiman Marcus sold its products at premium prices, but instead of taking a portion of the proceeds and devoting it to cybersecurity, the company pocketed too much.
“This is a step that we need not, and do not, take in this case.”
The plaintiffs also alleged that they had a concrete injury in the loss of their private information, but the court said federal law didn’t recognize private information as a property right without more.
A case doesn’t arise from unauthorized credit charges if those affected “were automatically reimbursed, their identities were not stolen, and they could not show that there was a substantial risk of lack of reimbursement or further use of their information.”
Ginger Reeder, a spokeswoman for Dallas-based Neiman Marcus, said the company wouldn’t comment on the ruling. David Hoffman, a partner at Sidley Austin LLP who represents Neiman Marcus, didn’t respond to an e-mail seeking comment.
The Neiman Marcus data breach was one of several recent attacks on credit information at U.S. retailers including Target Corp. and Home Depot Inc.
The case is Remijas v. Neiman Marcus Group LLC, 14-3122, U.S. Court of Appeals for the Seventh Circuit (Chicago).